coheigea commented on a change in pull request #483: HttpHeaderHelper: String.replace instead of Pattern.matcher().replaceAll
URL: https://github.com/apache/cxf/pull/483#discussion_r241832391
 
 

 ##########
 File path: core/src/main/java/org/apache/cxf/helpers/HttpHeaderHelper.java
 ##########
 @@ -112,8 +111,8 @@ public static String mapCharset(String enc, String deflt) {
         }
         // Charsets can be quoted. But it's quite certain that they can't have 
escaped quoted or
         // anything like that.
-        enc = charsetPattern.matcher(enc).replaceAll("").trim();
-        if ("".equals(enc)) {
+        enc = enc.replace('"', ' ').replace('\'', ' ').trim();
 
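Review bot: the `+` line changes the normalization from deleting quote characters to replacing each one with a space, so a value such as `UT"F-8` that previously collapsed to `UTF-8` now becomes `UT F-8`; `String.replace(char, char)` replaces every occurrence, so the "first instance only" worry does not apply, but the internal-space result does, and the later `Charset` lookup should be expected to reject that name rather than silently map it. The hunk also removes the `if ("".equals(enc)) {` line without a visible replacement in this excerpt: after `trim()` a header value consisting only of quotes is still the empty string, so the code that follows must keep falling back to `deflt` for that case instead of passing an empty name on. If the aim is only to avoid regex cost, `enc.replace("\"", "").replace("'", "").trim()` keeps the original deletion semantics with no behaviour change.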
 Review comment:
   Is there a reason to replace the previous behaviour (empty String) with a 
whitespace? Also, it's only replacing the first instance of each? I'm just 
wondering if there might be an attack where an attacker could force using a 
charset by escaping twice in a row with the new code.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
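The behaviour difference the reviewer is asking about can be seen directly by running both normalizations side by side over a few constructed header values. The following class is an added illustration, not code from CXF or from this pull request; it assumes that the original `charsetPattern` matched single and double quote characters (the real pattern is not shown in the hunk), and the sample inputs are constructed for the demo.

```java
import java.nio.charset.Charset;
import java.nio.charset.IllegalCharsetNameException;
import java.util.regex.Pattern;

public class CharsetNormalizationDemo {

    // Assumption: the pre-PR charsetPattern matched quote characters.
    // The actual CXF regex is not visible in the diff.
    private static final Pattern QUOTE_PATTERN = Pattern.compile("[\"']");

    /** Pre-PR behaviour: quotes are deleted, then the result is trimmed. */
    static String stripQuotes(String enc) {
        return QUOTE_PATTERN.matcher(enc).replaceAll("").trim();
    }

    /** Post-PR behaviour: every quote becomes a space, then the result is trimmed. */
    static String spaceQuotes(String enc) {
        return enc.replace('"', ' ').replace('\'', ' ').trim();
    }

    /**
     * What a caller should do with the normalized name: treat an empty result as
     * "use the default", and let the JDK reject syntactically illegal names
     * (an embedded space is illegal, so Charset.isSupported throws).
     */
    static String classify(String normalized) {
        if (normalized.isEmpty()) {
            return "empty -> fall back to default charset";
        }
        try {
            return Charset.isSupported(normalized)
                    ? "supported charset"
                    : "unsupported charset";
        } catch (IllegalCharsetNameException e) {
            return "illegal charset name";
        }
    }

    public static void main(String[] args) {
        // Constructed sample header values; the last two are the interesting ones.
        String[] samples = {
            "\"UTF-8\"",        // ordinary quoted charset
            "'ISO-8859-1'",     // single-quoted charset
            "\"\"",             // only quotes: both variants yield ""
            "\"\"UTF-8\"\"",    // doubled quotes: both variants still yield UTF-8
            "UT\"F-8"           // quote inside the name: old gives UTF-8, new gives "UT F-8"
        };
        for (String s : samples) {
            String old = stripQuotes(s);
            String neu = spaceQuotes(s);
            System.out.printf("%-16s old=[%s] new=[%s] -> %s%s%n",
                    s, old, neu, classify(neu),
                    old.equals(neu) ? "" : "  (DIFFERS from old behaviour)");
        }
    }
}
```

Running this shows that the doubled-quote case is handled identically by both versions, while a quote embedded inside the charset name is the one input whose result changes; with the new code it turns into a name containing a space, which `Charset.isSupported` rejects with `IllegalCharsetNameException`, so the caller must be prepared to catch that rather than assume the lookup only returns true or false.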